-
Title
Basic Questions about Password Policy Manager -
Description
Basic Questions about Password Policy Manager
-
Resolution
Q: Is it necessary to install the Password Policy Manager (PPM) component?
A: No. The PPM component is optional and is not necessary in order to use Password Manager.
Q: Why would you want to use the PPM component?
A: The PPM component offers a higher degree of controlling what passwords are acceptable in an environment. With PPM you can set policies such as:
- Password Age Rule. Ensures that users cannot use expired passwords or change their passwords too frequently.
- Length Rule. Ensures that passwords contain the required number of characters.
- Complexity Rule. Ensures that passwords meet minimum complexity requirements.
- Required Characters Rule. Ensures that passwords contain certain character categories.
- Disallowed Characters Rule. Rejects passwords that contain certain character categories.
- Sequence Rule. Rejects passwords that contain more repeated characters than it is allowed.
- User Properties Rule. Rejects passwords that contain part of a user account property value.
- Dictionary Rule. Rejects passwords that match dictionary words or their parts.
- Symmetry Rule. Ensures that password or its part does not read the same in both directions.
Q: Must the PPM component be installed on ALL domain controllers?
A: Yes, in order for PPM to function correctly the PPM component needs to be installed on all Domain Controllers. If you do not do this, PPM will not be able to enforce policies to users who are connecting to domain controllers if the PPM component is not installed on that DC.
Q: After you install the PPM component, do you need to reboot the domain controller?
A: Absolutely. If you do not reboot the domain controller the operation system may encounter a blue screen failure. You will be prompted to reboot after performing the installation.
Q: How do you configure rules for a password policy?
A: To configure rules for a password policy:
- On the home page of the Administration site, click the Managed Domains box. The Configure Managed Domains page opens.
- Under the Password policies table heading, click the link next to the domain that you want to manage.
- On the Password Policies for the Domain page, click a policy, and then click the Policy rules tab.
- On the Policy Rules tab, click the rule that you want to configure, and, under the rule's name, modify the appropriate rule settings.
- Repeat step 4 for each of the rules that you want to configure for this password policy, and then click Save.
Q. Does Password Policy Manager override the Native Windows security Policy rules?
A: No, Password Manager works in conjunction with Native Windows secuirty policies, and the more restrictive of the two will be enforced. For instance, if the 'Minimum password length' and 'Max password Age' settings are enabled, then the more restrictive of the two will be enforced.
Example 1:
Minimum password length in Active Directory = 8
Minimum password length in Password Manager password policy = 16
16 is more restrictive, so 16 will be enforced.
Example 2:
Max Password Age in Active Directory = 45
Max Password Age in Password Manager password policy = 30
30 is more restrictive, so 30 will be enforced.
Q. What is the name of the service for the Password Policy Management component?
A: There is no service component for Password Policy Managemer component. PPM gets installed on the Domain Controllers as a password filter.
Q. If the Password Manager service is not available, will users get the Password Policy applied?
A: If Password Policy Manager has been deployed on all domain controllers and the Password Policy has been configured from the Password Manager Admin site, the Password Policy will be applied on all users who are trying to change or reset their password by pressing CTLR+ALT+DELETE. However, users will not be able to manage their passwords when accessing the Password Manager self-service site.